Frederic Baguelin
Fred is a security researcher at Datadog, focusing on threat research. Fred is a fervent open source advocate and started his career by developing an open source digital forensics framework. He also worked at a CERT (Computer Emergency Response Team), dealing with threat intelligence, digital forensics and incident response, and has worked with cloud and container technologies. He is part of the Botconf organizing committee and an active contributor to, and one of the maintainers of, the Yeti platform. He regularly speaks at conferences and publishes on new and emerging threats and vulnerabilities.
Sessions
The Datadog Threat Research team routinely collects and analyzes potential malware samples from multiple sources, such as honeypots, intelligence shared by partners and intel contacts, internal security incidents, and malicious packages flagged by Guarddog.
From these malware analyses, we extract Indicators of Compromise (IoCs): malicious IP addresses, domains, file hashes and other atomic indicators. For example, a cloud crypto-jacking campaign could involve malicious container images tied to an attacker-controlled Dockerhub account. Malware in those images could communicate with a Command and Control (C2) server at a specific IP. The image names, the Dockerhub username and the C2 IP would all be atomic indicators in this case.
As the number of daily analyses grew, our team had to handle the detonation of many types of samples, and built an automated pipeline covering data ingestion, detonation, and the collection of contextualised IoCs in our TIP (Threat Intelligence Platform). The pipeline relies on several open source projects, including eBPF tracers, a Threat Intelligence Platform and a malware analysis orchestrator.
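As an added illustration of the post-detonation step the abstract describes (this is example code written for this page, not code from the talk or from Datadog's pipeline), the Python below takes the events a sandbox or eBPF tracer might emit for one sample, drops connections to the sandbox's own infrastructure and lookups of well-known benign endpoints, deduplicates what remains, and attaches the sample context; the Dockerhub image and account the sample came from are emitted as indicators in their own right, as the paragraph above suggests. The event schema and field names, the allow-list, and every IP, domain, hash and account name are constructed assumptions.

```python
"""Turn constructed detonation events into contextualised atomic IoCs.

Added example for this page; the event schema (type, dst_ip, query,
sha256, ...) is hypothetical and all values are constructed.
"""
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sandbox output for one detonated sample.
SAMPLE_EVENTS = json.dumps([
    {"type": "connect", "dst_ip": "10.0.0.5", "dst_port": 53},        # sandbox DNS resolver
    {"type": "connect", "dst_ip": "203.0.113.10", "dst_port": 4444},  # constructed "C2"
    {"type": "connect", "dst_ip": "203.0.113.10", "dst_port": 4444},  # same connection again
    {"type": "dns", "query": "Pool.Example-Mining.test."},            # mixed case, trailing dot
    {"type": "dns", "query": "registry-1.docker.io"},                 # benign, expected for any image
    {"type": "file_write", "path": "/tmp/xmrig", "sha256": "a" * 64},
    {"type": "file_write", "path": "/tmp/notes.txt", "sha256": "nothex"},  # malformed hash
])

# Constructed provenance of the sample: image and account are indicators too.
SAMPLE_CONTEXT = {
    "sample_sha256": "b" * 64,
    "image": "example-user/innocent-looking-image:latest",
    "registry_user": "example-user",
}

# Destinations that never become publishable indicators: RFC 1918, loopback,
# link-local, multicast and "this network". RFC 5737 documentation ranges are
# deliberately not excluded so that the constructed 203.0.113.10 passes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]

# Endpoints every container image contacts; extend for the real environment.
BENIGN_DOMAINS = {"registry-1.docker.io", "auth.docker.io", "production.cloudflare.docker.com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True, order=True)
class Indicator:
    kind: str   # "ipv4", "domain", "sha256", "docker_image", "registry_user"
    value: str


def is_routable(addr):
    """True for a syntactically valid address outside the non-routable ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def indicators_from_events(events_json):
    """Yield candidate atomic indicators from raw sandbox events (may repeat)."""
    for ev in json.loads(events_json):
        if ev["type"] == "connect" and is_routable(ev["dst_ip"]):
            yield Indicator("ipv4", ev["dst_ip"])
        elif ev["type"] == "dns":
            domain = ev["query"].lower().rstrip(".")   # normalise before allow-listing
            if domain not in BENIGN_DOMAINS:
                yield Indicator("domain", domain)
        elif ev["type"] == "file_write" and SHA256_RE.match(ev.get("sha256", "")):
            yield Indicator("sha256", ev["sha256"])


def extract_iocs(events_json, context):
    """Return deduplicated IoC records tagged with the originating sample."""
    found = set(indicators_from_events(events_json))
    found.add(Indicator("docker_image", context["image"]))
    found.add(Indicator("registry_user", context["registry_user"]))
    return [
        {"kind": ind.kind, "value": ind.value, "source_sample": context["sample_sha256"]}
        for ind in sorted(found)
    ]


if __name__ == "__main__":
    for record in extract_iocs(SAMPLE_EVENTS, SAMPLE_CONTEXT):
        print(record)
```

Two choices are worth noting: the non-routable filter is an explicit list rather than `ipaddress`'s `is_private`/`is_global`, because those helpers also reject the RFC 5737 documentation ranges used for constructed examples (and would silently drop any address a sandbox NATs through such a range); and the allow-list is applied after lower-casing and stripping the trailing dot, since tracers often record queries exactly as the resolver saw them. The source sample hash on each record is the minimum context a TIP needs to link an indicator back to the analysis that produced it.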
In this talk we share how we implemented and deployed the pipeline, together with feedback and the lessons learned along the way.